This Trojan uses social engineering to lure users into actions that, directly or indirectly, trigger its malicious routines. Specifically, its lure is themed on the development issues of the G-20 summit in Korea, matching the decoy document it drops.

To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.

It drops a file detected as TROJ_AGENT.JAAK.

It also drops a non-malicious .DOC file as a decoy. When the decoy is opened, an instance of Microsoft Word is started and loads it as a normal .DOC file, so the user sees only an ordinary document while the malicious routines run.

To avoid easy detection and removal, this Trojan's executable carries the file icon of a legitimate application so that it does not look like an executable. It runs its routines and then deletes itself, so the dropper itself is usually no longer on disk by the time the dropped files are found.

It executes the files it drops, so the affected system exhibits whatever malicious routines those files contain.

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Perform this step only if you know how, or ask your system administrator for assistance. Otherwise, read this Microsoft article before modifying your computer's registry.

This Trojan adds the following autostart value, which relaunches the dropped payload at every logon of the affected user:

In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

AdobeUpdate = %User Temp%\Wininet.exe

To delete the registry value this malware created:

Open Registry Editor. To do this, click Start>Run, type regedit in the text box provided, then press Enter.

In the left panel of the Registry Editor window, double-click the following: HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run

In the right panel, locate and delete the entry: AdobeUpdate = %User Temp%\Wininet.exe

Some component files may be hidden. Make sure you check the Search Hidden Files and Folders checkbox under More advanced options so that hidden files and folders are included in the search results.

{malware path}\Korean G20 Development Issue Paper.doc

{malware path} is the folder the Trojan was run from, which varies from system to system, so search the whole computer for the file name.

To delete the malware/grayware/spyware file:

Right-click Start then click Search... or Find..., depending on the version of Windows you are running.

In the Named input box, type:

{malware path}\Korean G20 Development Issue Paper.doc

In the Look In drop-down list, select My Computer, then press Enter.

Once located, select the file then press SHIFT+DELETE to permanently delete the file.
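The registry and file-search steps above can be scripted. The following PowerShell script is an added example and is not part of the Trend Micro write-up nor Trend Micro's code: it looks for the AdobeUpdate autostart value and the dropped decoy document (hidden files included), reports what it finds, and removes them only when run with -Remove. It assumes that %User Temp% is the per-user temp folder, that {malware path} is unknown (so every fixed drive is searched), that other loaded user hives under HKEY_USERS should be checked alongside HKEY_CURRENT_USER, and that a running Wininet.exe process is stopped before its file is moved; none of these points are stated on the page.

```powershell
<#
  Added example, not Trend Micro's code. Automates the manual steps above:
  locate the AdobeUpdate autostart value and the dropped files, report them,
  and clean them only when -Remove is supplied. Run from an elevated prompt.
  Assumptions (not on the page): %User Temp% == $env:TEMP; {malware path} is
  unknown, so fixed drives are walked; all loaded hives under HKEY_USERS are
  checked; a running Wininet.exe is stopped before its file is quarantined.
#>
param(
    [switch]$Remove,
    [string]$Quarantine = (Join-Path $env:USERPROFILE 'ir-quarantine')
)

$runSubKey   = 'Software\Microsoft\Windows\CurrentVersion\Run'
$valueName   = 'AdobeUpdate'                             # value name from the write-up
$payloadName = 'Wininet.exe'                             # %User Temp%\Wininet.exe
$decoyName   = 'Korean G20 Development Issue Paper.doc'  # {malware path}\...

function Get-RunIndicator {
    # HKEY_USERS holds the logged-on user's hive (the page's HKEY_CURRENT_USER)
    # plus any other loaded profiles; *_Classes subkeys never carry a Run key.
    $hives = Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue |
             Where-Object { $_.PSChildName -notlike '*_Classes' }
    foreach ($hive in $hives) {
        $key   = "Registry::$($hive.Name)\$runSubKey"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties[$valueName]) {
            $data = ([string]$props.$valueName).Trim('"')
            [pscustomobject]@{
                Key   = $key
                Name  = $valueName
                Data  = $data
                # "%User Temp%" is Trend Micro notation, so match on the payload
                # file name at the end of the resolved path instead.
                Match = ($data -match ('\\' + [regex]::Escape($payloadName) + '$'))
            }
        }
    }
}

function Find-DroppedFiles {
    # -Force includes hidden and system files, as the "Search Hidden Files and
    # Folders" advice requires. A full-disk walk is slow but thorough.
    $disks = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=3'
    foreach ($d in $disks) {
        Get-ChildItem -LiteralPath "$($d.DeviceID)\" -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object {
                $_.Name -ieq $decoyName -or
                # Wininet.exe counts only inside a Temp folder; wininet.dll in
                # System32 is legitimate and is not matched here.
                ($_.Name -ieq $payloadName -and $_.DirectoryName -match '\\Temp$')
            }
    }
}

function Invoke-Cleanup {
    param([object[]]$RunHits, [object[]]$Files)
    foreach ($h in ($RunHits | Where-Object Match)) {
        Remove-ItemProperty -Path $h.Key -Name $h.Name -ErrorAction Stop
        Write-Host "Removed $($h.Key)\$($h.Name)"
    }
    if (-not $Files) { return }
    New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
    # A running image cannot be moved, so stop the payload first (assumption:
    # the page lists no process-termination step).
    Get-Process -Name ([IO.Path]::GetFileNameWithoutExtension($payloadName)) -ErrorAction SilentlyContinue |
        Stop-Process -Force
    foreach ($f in $Files) {
        # Keep a copy for analysis rather than SHIFT+DELETE; purge the folder later.
        $dest = Join-Path $Quarantine ("$($f.Name).$(Get-Date -Format yyyyMMddHHmmss).quarantined")
        Move-Item -LiteralPath $f.FullName -Destination $dest -Force
        Write-Host "Moved $($f.FullName) -> $dest"
    }
}

$runHits = @(Get-RunIndicator)
$files   = @(Find-DroppedFiles)

Write-Host 'Run-key values named AdobeUpdate:'
$runHits | Format-Table Key, Data, Match -AutoSize
Write-Host 'Dropped files found:'
$files | Format-Table FullName, Attributes, LastWriteTime -AutoSize

if ($Remove) {
    Invoke-Cleanup -RunHits $runHits -Files $files
} elseif ($runHits.Count -or $files.Count) {
    Write-Host 'Indicators present. Re-run with -Remove to clean them.'
} else {
    Write-Host 'No indicators from the write-up were found.'
}
```

Run it once without -Remove to review the report, then with -Remove to clean. The script only covers the indicators named on this page; the location of the file detected as TROJ_AGENT.JAAK is not given, so the product scan in the next step is still required.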

Step 5

Scan your computer with your Trend Micro product to delete files detected as TROJ_DROPPER.WTH. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.